metadata name = 'Azure SQL Server Vulnerability Assessments'
metadata description = 'This module deploys an Azure SQL Server Vulnerability Assessment.'

@description('Required. The name of the vulnerability assessment.')
param name string

@description('Conditional. The Name of SQL Server. Required if the template is used in a standalone deployment.')
param serverName string

@description('Optional. The recurring scans settings.')
param recurringScans recurringScansType = {
  emails: []
  emailSubscriptionAdmins: false
  isEnabled: false
}

@description('Required. A blob storage to hold the scan results.')
param storageAccountResourceId string

@description('Optional. Use Access Key to access the storage account. The storage account cannot be behind a firewall or virtual network. If an access key is not used, the SQL Server system assigned managed identity must be assigned the Storage Blob Data Contributor role on the storage account.')
param useStorageAccountAccessKey bool = false

@description('Optional. Create the Storage Blob Data Contributor role assignment on the storage account. Note, the role assignment must not already exist on the storage account.')
param createStorageRoleAssignment bool = true

resource server 'Microsoft.Sql/servers@2023-08-01' existing = {
  name: serverName
}

// Assign SQL Server MSI access to storage account
module storageAccount_sbdc_rbac 'modules/nested_storageRoleAssignment.bicep' = if (!useStorageAccountAccessKey && createStorageRoleAssignment) {
  name: '${server.name}-sbdc-rbac'
  scope: resourceGroup(split(storageAccountResourceId, '/')[2], split(storageAccountResourceId, '/')[4])
  params: {
    storageAccountName: last(split(storageAccountResourceId, '/'))
    managedInstanceIdentityPrincipalId: server.identity.principalId
  }
}

resource vulnerabilityAssessment 'Microsoft.Sql/servers/vulnerabilityAssessments@2023-08-01' = {
  name: name
  parent: server
  properties: {
    storageContainerPath: 'https://${last(split(storageAccountResourceId, '/'))}.blob.${environment().suffixes.storage}/vulnerability-assessment/'
    storageAccountAccessKey: useStorageAccountAccessKey
      ? listKeys(storageAccountResourceId, '2019-06-01').keys[0].value
      : any(null)
    recurringScans: recurringScans
  }
}

@export()
@description('The type for recurring scans.')
type recurringScansType = {
  @description('Required. Specifies an array of e-mail addresses to which the scan notification is sent.')
  emails: string[]

  @description('Optional. Specifies that the schedule scan notification will be sent to the subscription administrators.')
  emailSubscriptionAdmins: bool?

  @description('Optional. Recurring scans state.')
  isEnabled: bool?
}

@description('The name of the deployed vulnerability assessment.')
output name string = vulnerabilityAssessment.name

@description('The resource ID of the deployed vulnerability assessment.')
output resourceId string = vulnerabilityAssessment.id

@description('The resource group of the deployed vulnerability assessment.')
output resourceGroupName string = resourceGroup().name
